Using the Zscaler App Portal as an Identity Provider (IdP)

Overview

The Zscaler App Portal can function as an identity provider (IdP) for the Zscaler service. With this feature, users do not need to be tied to your organization's standard IdP in order to authenticate to the Zscaler service. Instead, if your organization uses SAML-based single sign-on (SSO), the Zscaler App can use a device token to auto-provision and silently authenticate users and devices for the Zscaler service.

You can generate the device token in the Zscaler App Portal and pass the token to the App in an installer option. In addition, in the Zscaler admin portal, you must upload the Zscaler App IdP certificate and add the Zscaler App IdP URL as your SAML Portal URL. The App is then able to gather user ID and other relevant parameters from devices and send the information to the Zscaler cloud in SAML requests. The Zscaler App Portal parses and verifies the SAML requests, enabling the Zscaler cloud to provision and silently authenticate users.

Configuration

You must complete the following tasks to begin using the Zscaler App Portal as an IdP for Zscaler.

In the Zscaler App Portal:

  • Obtain the Zscaler App IdP URL.
  • Download the Zscaler App IdP Certificate.
  • Create the device token.

In the Zscaler admin portal:

  • Add the Zscaler App IdP URL as the SAML Portal URL.
  • Upload the Zscaler App IdP Certificate.

When installing the Zscaler App:

  • Pass the device token in an installer option.

Zscaler App Portal Steps

  1. From the Zscaler admin portal, go to Policy > Zscaler App Portal.
  2. In the Zscaler App Portal, go to Administration from the top menu, then from the left menu, select Zscaler App IDP.
  3. Note the URL under IDP URL. You must enter this URL in the SAML Portal URL field in the Zscaler admin portal (as described in Zscaler Admin Portal Steps below).
  4. Click Download under Zscaler App IdP Certificate. You must upload this certificate to the Zscaler admin portal (as described in Zscaler Admin Portal Steps below).
  5. Under Manage Device Tokens, click Create Device Token.
  6. In the Create Device Token window, do the following:
    1. Enter Password: Enter a password that is at least six characters and includes an alphabetic character and a number.
    2. Token Description: Enter a description that helps you track each token.
    3. Click Create Token.

The token you generate appears in the table under Manage Device Tokens. You can create up to 8 tokens.

Zscaler Admin Portal Steps

In the Zscaler admin portal:

  1. Go to Administration > Authentication > Authentication Settings.
  2. In Authentication Type, choose SAML and click Configure SAML to open the New SAML or Edit SAML window.
  3. In the Identity Provider (IDP) Options section, complete the following:
    • SAML Portal URL: Enter the IDP URL obtained from the Zscaler App Portal.
    • Public SSL Certificate: Click Upload, and then click Choose File to navigate to the Zscaler App IdP certificate you downloaded from the Zscaler App Portal.
  4. In the Auto-Provisioning Options section, select Enable SAML Auto-Provisioning.
  5. Click Save and activate the change.

Passing the Device Token

To use the Zscaler App as an IdP for your users, you must pass the device token to users' devices during installation. Because the token is what lets a device auto-provision and silently authenticate to your Zscaler service, treat it like a password: keep it where only administrators can read it, and do not leave it in scripts or on shares that ordinary users can browse. The sections below describe how to pass the device token with each available installation option:

  • Windows: MSI Installer (in an MST file, or on the msiexec command line)
  • Windows: EXE Installer (in a system start-up script, or on the command line)
  • Mac: Installer App

Pass the Device Token in an MST File

Complete the following steps to use Orca to create an MST file that includes the device token.

  1. After opening Orca, click File, then Open. Double-click the MSI file.
  2. Click Transform, then click New Transform.
  3. In the Tables column, click Property.
  4. Click Tables, then click Add Row.
  5. In the Add Row menu, enter the following and click OK:
    • Property: DEVICETOKEN
    • Value: Enter the device token you created in the Zscaler App Portal.
  6. To save your changes, click Transform, and then click Generate Transform.
  7. In the Save Transform As menu, enter a file name and click Save.

    Note: You can use as many MSI Installer options as you need. To learn about additional MSI Installer options, see Create an MST File with Orca and Deploy It in "How do I deploy the MSI Installer Package to install the Zscaler App?"
  8. You can then deploy the MST file. The Property table in an MST is stored in plain text, so anyone who can read the MST from your distribution share can read the device token; restrict read access to the share accordingly.


Run the MSI File with a Command Line Option

To deploy the MSI file and install the Zscaler App, use the following command line with the property values you want to configure:

msiexec /i "<complete_path>" /quiet DEVICETOKEN=<device_token> USERDOMAIN=<your_organization's_domain>

  • Replace <complete_path> with the complete path of the MSI installer. For example, "C:\Users\User\Downloads\Zscaler-windows-1.1.2.000025-installer.msi"
  • "/quiet" installs the Zscaler App in silent mode.
  • Replace <device_token> with the device token you created in the Zscaler App Portal.
  • Replace <your_organization's_domain> with your organization's domain.

    Note: You can add as many MSI Installer options as you need. To learn about additional MSI Installer options, see Run the MSI File with a Command Line Option in "How do I deploy the MSI Installer Package to install the Zscaler App?"

Define the System Start-up Script to Install the Zscaler App

When deploying the Zscaler App in an AD environment, you can enter the command line options when you define the system start-up script that installs the Zscaler App. In this example, Windows Server 2012 R2 is used.

  1. Select the GPO and go to Computer Configuration > Policies > Windows Settings > Scripts > Startup. Double-click Startup to open it.
  2. Click Add to open a new wizard.
  3. In the Script Name field, specify the complete path of the Zscaler App installer. For example: \\SERVER\share\Zscaler-windows-1.1.2.000025-installer.exe
  4. Enter the following script parameters in the Script Parameters field:
    • To install the Zscaler App in silent mode, use: --mode unattended
    • To pass the device token, use:
      --deviceToken <device_token> --userDomain <your_organization's_domain>
      • Replace <device_token> with the device token you created in the Zscaler App Portal.
      • Replace <your_organization's_domain> with your organization's domain. In this example, the organization's domain is "safemarch.com".

        Note that you can add as many parameters as you need. To learn about additional script parameters, see Define the System Start-up Script to Install the Zscaler App in "How do I deploy the EXE installer file to install the Zscaler App?"

        Script parameters are stored with the GPO in SYSVOL, which every authenticated domain user can read by default, so a device token passed this way is visible to anyone with a domain account. Keep that in mind when deciding whether this deployment method is acceptable for your environment.
  5. Click OK.
  6. Click Apply to apply the changes to the policy, then run gpupdate.exe /force.
  7. Remotely reboot the OU computers on which you want to install the Zscaler App with the following command:
     shutdown.exe -r -m \\Remote-Computer-Name -t 0

Run the EXE Installer File with a Command Line Option

To deploy the EXE file and install the Zscaler App, run the EXE installer with the following command line options and its complete path. In this example, the complete path is "C:\Users\User\Downloads\Zscaler-windows-1.1.2.000025-installer.exe".

  • To install the Zscaler App in silent mode, run the EXE installer file with the following command line option: --mode unattended
  • To pass the device token, run the EXE installer file with the following command line options:
    --deviceToken <device_token> --userDomain <your_organization's_domain>
    • Replace <device_token> with the device token you created in the Zscaler App Portal.
    • Replace <your_organization's_domain> with your organization's domain.

      Note that you can add as many command line options as you need. To learn about additional command line options, see Run the EXE Installer File with a Command Line Option in "How do I deploy the EXE installer file to install the Zscaler App?"
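The following PowerShell script is an added example for the two Windows command line methods above (msiexec with DEVICETOKEN/USERDOMAIN, and the EXE installer with --mode unattended, --deviceToken and --userDomain); it is not Zscaler's own deployment script. It reads the token from a file at run time instead of embedding it in the script or in a GPO parameter, refuses to run an installer that is unsigned or signed by an unexpected publisher, and picks the right option syntax from the installer's extension. The token file location, its ACL, and the -ExpectedSigner substring are assumptions you must set for your environment; the installer options themselves are the ones this page documents.

```powershell
<#
  Added example, not Zscaler's own code.
  Installs the Zscaler App with a device token using the options documented on this page:
    MSI: msiexec /i "<path>" /quiet DEVICETOKEN=<token> USERDOMAIN=<domain>
    EXE: <path> --mode unattended --deviceToken <token> --userDomain <domain>
  Assumptions (not from the page): the token lives in a file that only SYSTEM and
  Administrators can read, and the installer is Authenticode-signed by a publisher
  whose certificate subject contains the -ExpectedSigner string.
#>
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    [Parameter(Mandatory)] [string] $TokenFile,
    [Parameter(Mandatory)] [string] $UserDomain,
    [string] $ExpectedSigner = 'Zscaler'   # assumption: adjust to your installer's signer subject
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
    throw "Installer not found: $($InstallerPath)"
}

# Refuse to run an installer whose signature is missing, broken, or from another publisher.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to run $($InstallerPath): signature status is $($sig.Status)"
}
if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
    throw "Refusing to run $($InstallerPath): signed by $($sig.SignerCertificate.Subject)"
}

# Read the token at run time so it never sits in the script, a GPO, or source control.
$token = (Get-Content -LiteralPath $TokenFile -Raw).Trim()
if ([string]::IsNullOrWhiteSpace($token)) {
    throw "Device token file $($TokenFile) is empty"
}

# Build the argument list in the syntax each installer type expects.
switch ([System.IO.Path]::GetExtension($InstallerPath).ToLowerInvariant()) {
    '.msi' {
        $exe = 'msiexec.exe'
        $installArgs = @('/i', "`"$InstallerPath`"", '/quiet',
                         "DEVICETOKEN=$token", "USERDOMAIN=$UserDomain")
    }
    '.exe' {
        $exe = $InstallerPath
        $installArgs = @('--mode', 'unattended',
                         '--deviceToken', $token, '--userDomain', $UserDomain)
    }
    default {
        throw "Unsupported installer type: $($InstallerPath)"
    }
}

$proc = Start-Process -FilePath $exe -ArgumentList $installArgs -Wait -PassThru -NoNewWindow

# Report only the outcome; never write $installArgs to a log, it contains the token.
# msiexec returns 3010 when the install succeeded but a reboot is pending.
if ($proc.ExitCode -notin 0, 3010) {
    throw "Installer exited with code $($proc.ExitCode)"
}
Write-Output "Zscaler App installed from $($InstallerPath) (exit code $($proc.ExitCode))"
```

Run it as SYSTEM from your software-deployment tool so the token file's ACL can exclude ordinary users. Note that the token still appears on the child process's command line for the duration of the install, so process-creation auditing with command-line logging (Security event 4688) or anything that enumerates Win32_Process command lines will record it; protect those logs as you would the token itself.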

Mac OS X

  • To pass the device token, use the following command line:
    sudo sh <download_location>/Contents/MacOS/installbuilder.sh --deviceToken <device_token> --cloudName <zscaler_cloud>
    • Replace <download_location> with the location of the unzipped installer app.
    • Replace <device_token> with the device token you created in the Zscaler App Portal.
    • Replace <zscaler_cloud> with your cloud name without the .net suffix. For example, if your cloud name is zscalertwo.net, use "--cloudName zscalertwo".

      To learn how to find your Zscaler cloud, see What is my cloud name?